IN THIS ARTICLE
Outlines how to customize the schema used for LDAP user and group membership queries.
- Cluster running Qumulo Core 2.11.0 or later
- Command line (CLI) tools installed via API & Tools tab
Starting with Qumulo Core 2.11.0, you can connect your cluster to an LDAP server that does not follow the RFC2307 schema. Earlier releases supported only the RFC2307-defined attributes and object classes for LDAP user and group membership queries.
Use one of these two commands to configure your LDAP settings:
qq ldap_set_settings
qq ldap_update_settings
To customize the LDAP user and group membership queries, pass the following options with one of the commands above (the RFC2307 default for each is shown in parentheses):
- --custom-login-name-attribute: The attribute on a user object that identifies their login name. (RFC2307 attribute: uid)
- --custom-group-member-attribute: The attribute on a group object which contains references to the members in that group. (RFC2307 attribute: memberUid)
- --custom-user-group-identifier-attribute: The attribute on a user to which the value of the group-member-attribute on a group refers. (RFC2307 attribute: uid)
- --custom-user-object-class: The object class for users. (RFC2307 value: posixAccount)
- --custom-group-object-class: The object class for groups. (RFC2307 value: posixGroup)
- --custom-group-name-attribute: The attribute on a group object that identifies its name. (RFC2307 attribute: cn)
- --custom-uid-number-attribute: The attribute on a user object that contains the user's uid number. (RFC2307 attribute: uidNumber)
- --custom-gid-number-attribute: The attribute on a user or group object that contains its gid number. (RFC2307 attribute: gidNumber)
The following example shows the new options in action against an Active Directory-style schema, where a group's member attribute holds the distinguished names of its members, so the group member attribute is mapped to member and the user's group identifier to distinguishedName:
qq ldap_set_settings \
--use-ldap true \
--bind-uri ldap://ad-parent.eng.qumulo.com \
--base-dn "cn=Users,dc=ad-parent,dc=eng,dc=qumulo,dc=com" \
--bind-username "cn=Administrator,cn=Users,dc=ad-parent,dc=eng,dc=qumulo,dc=com" \
--bind-password a \
--encrypt-connection false \
--custom-group-member-attribute member \
--custom-group-object-class group \
--custom-login-name-attribute sAMAccountName \
--custom-user-group-identifier-attribute distinguishedName
Note that --encrypt-connection false sends the bind credentials and every user and group query in cleartext, and passing --bind-password on the command line leaves the password in shell history. Outside of a lab, keep the connection encrypted and use a dedicated bind account with read-only access to the user and group containers.
The following attributes will remain fixed at their RFC2307-defined values:
- uidNumber: The attribute on a user object that identifies the posix uid number for that user.
- gidNumber: The attribute on a user object that identifies the primary posix gid number for that user.
- gidNumber: The attribute on a group object that identifies the posix gid number for that group.
Once a custom schema is configured, you can test it by resolving a login name to the gid numbers of that user's groups (replace LDAPNAME with a login name that exists in your directory):
qq ldap_login_name_to_gid_numbers --login-name LDAPNAME
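To make the mapping behind these options concrete, the following added example (not Qumulo Core code) models the eight --custom-* options as a dataclass and runs the same login-name-to-gid-numbers lookup over a small in-memory directory, once with the RFC2307 defaults and once with an Active Directory-style mapping like the one in the command above. It also builds the LDAP search filters each step implies, with RFC 4515 escaping applied to the login name so that a crafted name cannot alter the filter. The directory entries are constructed sample data; the object classes "user" and "group" and the presence of uidNumber/gidNumber on Active Directory objects are assumptions of the example, as is the ALICE_DN value.

```python
"""Model of the LDAP lookups that a custom schema mapping drives.

Added example, not Qumulo Core code. Directory entries are constructed
sample data; the Active Directory mapping is an assumption of the example.
"""
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class LdapSchema:
    # Field names mirror the --custom-<name>-attribute / -object-class options.
    login_name_attribute: str
    group_member_attribute: str
    user_group_identifier_attribute: str
    user_object_class: str
    group_object_class: str
    group_name_attribute: str
    uid_number_attribute: str
    gid_number_attribute: str

    def qq_arguments(self) -> list[str]:
        """Render the mapping as the --custom-* arguments for qq ldap_set_settings."""
        args: list[str] = []
        for f in fields(self):
            args += ["--custom-" + f.name.replace("_", "-"), getattr(self, f.name)]
        return args


# RFC2307 defaults, as listed in the article.
RFC2307 = LdapSchema("uid", "memberUid", "uid", "posixAccount", "posixGroup",
                     "cn", "uidNumber", "gidNumber")

# Active Directory-style mapping (assumed: "user"/"group" object classes and
# uidNumber/gidNumber attributes populated on AD objects).
ACTIVE_DIRECTORY = LdapSchema("sAMAccountName", "member", "distinguishedName",
                              "user", "group", "cn", "uidNumber", "gidNumber")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name must never be spliced into a filter raw."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(schema: LdapSchema, login_name: str) -> str:
    """Search filter that finds the user object for a login name."""
    return (f"(&(objectClass={schema.user_object_class})"
            f"({schema.login_name_attribute}={escape_filter_value(login_name)}))")


def group_filter(schema: LdapSchema, user_identifier: str) -> str:
    """Search filter that finds every group whose member attribute names the user."""
    return (f"(&(objectClass={schema.group_object_class})"
            f"({schema.group_member_attribute}={escape_filter_value(user_identifier)}))")


def login_name_to_gid_numbers(schema: LdapSchema, directory: list[dict],
                              login_name: str) -> list[int]:
    """In-memory version of the two-step lookup: find the user, then its groups.

    Each entry is a dict of attribute -> value; multi-valued attributes
    (objectClass, group members) are lists.
    """
    users = [e for e in directory
             if schema.user_object_class in e["objectClass"]
             and e.get(schema.login_name_attribute) == login_name]
    if len(users) != 1:
        raise LookupError(f"{len(users)} user objects match {login_name!r}")
    user = users[0]
    gids = {int(user[schema.gid_number_attribute])}  # primary gid from the user object
    # Group member values are compared against the user's group-identifier
    # attribute: the uid under RFC2307, the distinguished name under AD.
    identifier = user[schema.user_group_identifier_attribute]
    for entry in directory:
        if (schema.group_object_class in entry["objectClass"]
                and identifier in entry.get(schema.group_member_attribute, [])):
            gids.add(int(entry[schema.gid_number_attribute]))
    return sorted(gids)


# Constructed sample directories: the same people and groups in both schemas.
RFC2307_DIRECTORY = [
    {"objectClass": ["posixAccount"], "uid": "alice", "uidNumber": "10001", "gidNumber": "10001"},
    {"objectClass": ["posixGroup"], "cn": "eng", "gidNumber": "5000", "memberUid": ["alice", "bob"]},
    {"objectClass": ["posixGroup"], "cn": "ops", "gidNumber": "5001", "memberUid": ["bob"]},
]
ALICE_DN = "CN=alice,CN=Users,DC=example,DC=com"
BOB_DN = "CN=bob,CN=Users,DC=example,DC=com"
AD_DIRECTORY = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "alice",
     "distinguishedName": ALICE_DN, "uidNumber": "10001", "gidNumber": "10001"},
    {"objectClass": ["top", "group"], "cn": "eng", "gidNumber": "5000", "member": [ALICE_DN, BOB_DN]},
    {"objectClass": ["top", "group"], "cn": "ops", "gidNumber": "5001", "member": [BOB_DN]},
]

if __name__ == "__main__":
    for name, schema, directory in (("RFC2307", RFC2307, RFC2307_DIRECTORY),
                                    ("AD", ACTIVE_DIRECTORY, AD_DIRECTORY)):
        print(name, login_name_to_gid_numbers(schema, directory, "alice"))
        print("   ", user_filter(schema, "alice"))
    print(" ".join(ACTIVE_DIRECTORY.qq_arguments()))
```

Both schemas resolve alice to the same gid numbers because the resolver only changes which attribute names it reads; that is the whole of what the --custom-* options do. The filters the example prints are the ones to try with ldapsearch against your own server before committing the mapping with qq.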
IMPORTANT! RFC2307 remains the default schema when no custom schema options have been supplied. If you have applied custom options and wish to revert to the default, run the following command:
qq ldap_update_settings --rfc2307
You should now be able to configure the schema used for LDAP user and group membership queries in Qumulo Core.